Skip to content


Why Invest in Internal Audit?

For many organizations, an internal audit function is not required, so why should your organization invest in internal audits? One word says it all – protection. Lessons learned from the financial failures and collapse of organizations over the years point to the importance of good governance, risk management, and internal controls. The purpose of an internal audit is to provide management and the board of directors with independent insight into the business and identify weaknesses that may result in deficiencies and inefficiencies. Initiative-taking organizations have the opportunity to address areas of weakness before they cause material or reputational damage to the business.

Internal audits use a risk-based approach driven by senior management and the board of directors. The risk can be strategic, operational, financial, or compliance in nature. An internal audit facilitates sessions to determine the risks based on management and the board’s risk tolerance. Then an internal audit devises audit plans to perform independent audits of the areas that exceed management’s threshold for risk.

Internal auditors perform audits under the independence, objective, and ethical standards of their profession. This means the board does not need to rely upon management who may not have the availability, independence, or objectivity to perform the assessment. Often management, who has the expertise to conduct assessments of operations and controls, does not have the independence to perform an objective assessment.

The Institute of Internal Auditors (IIA) conducted surveys of Internal Audit Leaders and published the 2024 Risk in Focus Survey Results. Below are the 2024 risk rankings and areas of audit focus for North American organizations. Which of these areas is a pain point for your organization?

2024 North America
Risk Area % Audit Focus Area %
Cybersecurity 85% Cybersecurity 84%
Human Capital 65% Governance/Corporate Reporting 55%
Business Continuity 36% Business Continuity 53%
Regulatory Change 43% Regulatory Change 53%
Market Change 41% Financial Liquidity 46%
Digital Disruption 36% Supply Chain & Outsourcing 38%
Supply Chain & Outsourcing 36% Fraud 26%
Financial Liquidity 28% Human Capital 26%
Geopolitical Uncertainty 28% Digital Disruption 25%
Organizational Culture 21% Health & Safety 21%

Each organization decides the areas of emphasis for their internal audits. If there are skills or availability gaps, the organization can benefit from outsourcing or co-sourcing internal audit to fill the gaps.

The auditing of cybersecurity internal controls is an area that requires skill sets that are in limited supply and often obtained via outsourcing. This is an area of risk that many organizations rely upon the outsourced partner to protect them. Using internal audit cybersecurity experts to assess the services an organization receives can provide valuable insight into their system of internal controls over cybersecurity risks. In many cases, an organization has accountability to provide some controls, as well. Do you know what your cybersecurity service provider is expecting your organization to do? Internal audits not only identify areas of weakness, but also supply knowledgeable recommendations on the most efficient way for an organization to fill the gaps.

The assessment of internal controls to mitigate human capital and organizational culture risks are closely related to governance and corporate reporting risks. It is often difficult to find internal resources with the skills, independence, and objectivity to complete the assessment of internal controls in these areas. For example, senior management and the board often assume that their business code of conduct and ethical expectations are reflected throughout the organization. This is often not the case, especially in an organization that is in a merger and acquisition mode. An independent assessment of a cross section of the organization’s employees provides valuable insight. The assessment can target culture, employee attitudes and skills, or a pain point identified in the table above. These audits can result in difficult discussions with senior management and the board. Internal Audit professionals present the facts so management and the board can be proactive in dealing with issues.

The above areas of cybersecurity and human capital are just two of the many areas where internal audit can provide value for an organization. Watch for future articles on benefits provided by internal audit functions. For more information regarding our internal audit experience, be sure to visit our Internal Audit Services page and don’t hesitate to reach out to a member of our internal audit team, such as Elaine Nissley.

About the Author

Elaine Nissley

Elaine is a Principal with McKonly & Asbury. Her primary responsibilities include management of the Internal Audit & Management Consulting Services group. Elaine handles client relationships and is accountable for the deliv… Read more

Subscribe to Our Newsletter

Contact Us